Abstract

Complex systems typically have many different parts and facets, with different characteristics. In a multi-paradigm approach to modeling, formalisms with different natures are used in combination to describe complementary parts and aspects of the system. This can have a beneficial impact on the modeling activity, as different paradigms can be better suited to describe different aspects of the system. While each paradigm provides a different view on the many facets of the system, it is of paramount importance that a coherent comprehensive model emerges from the combination of the various partial descriptions. In this paper we present a technique to model different aspects of the same system with different formalisms, while keeping the various models tightly integrated with one another. In addition, our approach leverages the flexibility provided by a bounded satisfiability checker to encode the verification problem of the integrated model in the propositional satisfiability (SAT) problem; this allows users to carry out formal verification activities both on the whole model and on parts thereof. The effectiveness of the approach is illustrated through the example of a monitoring system.

Keywords: Metric temporal logic, timed Petri nets, timed automata, discretization, dense time, bounded model checking.

1 Introduction 

Modeling paradigms come in many different flavors: graphical or textual; executable or not; formal, informal, or semi-formal; more or less abstract; with different levels of expressiveness, naturalness, conciseness, etc. Notations for the design of real-time systems, in addition, include a notion of time, whose characteristics add a further element of differentiation [1, 14].

A common broad categorization of modeling notations distinguishes between operational and descriptive paradigms [10]. Operational notations — such as Statecharts, finite state automata, or Petri nets — represent systems through the notions of state and transition (or event); system behavior consists in evolutions from state to state, triggered by event occurrences. On the other hand, descriptive paradigms — such as temporal logics, descriptive logics, or algebraic formalisms — model systems by declaring their fundamental properties.

The distinction between operational and descriptive models is, like with most classifications, neither rigid nor sharp. Nonetheless, it is often useful in practice to guide the developer in the choice of notation based on what is being modeled and what are the ultimate goals (and requirements) of the modeling endeavor. In fact, operational and descriptive notations have different — and often complementary — strengths and weaknesses. Operational models, for instance, are often easier to understand by experts of domains other than computer science (mechanical engineers, control engineers, etc.), which makes them a good design vehicle in the development of complex systems involving components of many different natures. Also, once an operational model has been built, it is typically straightforward to execute, simulate, animate, or test it. On the other hand, descriptive notations are the most natural choice when writing partial models of systems, because one can build the description incrementally by listing the (partial) known properties one at a time. For similar reasons, descriptive models are often excellent languages to document the requirements of a system: the requirements elicitation process is usually an incremental trial-and-error activity, and thus it benefits greatly from notations which allow cumulative development.

When modeling timed systems, in addition, the choice of the time domain is a crucial one, and it can significantly impact on the features of the model [10]. For example, a dense time model is typically needed to represent true asynchrony. Discrete time, instead, is usually more amenable to automated verification, and is at the basis of a number of quite mature techniques and tools that can be deployed in practice to verify systems.

In this paper we present a technique to model different aspects of the same system with different formalisms, while keeping the various models tightly integrated with one another. In this approach, modelers can pick their preferred modeling technique and modeling paradigm (e.g., operational or descriptive, continuous or discrete) depending on the particular facet or component of the system to be described. Integration of the separate snippets in a unique model is made possible by providing a common formal semantics to the different formalisms involved. Finally, our approach leverages the flexibility provided by a bounded satisfiability checker to encode the verification problem of the integrated model in the propositional satisfiability (SAT) problem; this allows users to carry out formal verification activities both on the whole model and on parts thereof.

The technique presented in this paper hinges on Metric Temporal Logic (MTL) to provide a common semantic foundation to the integrated formalisms, and on the results presented in [13] to integrate continuous- and discrete-time MTL fragments into a unique formal description. Operational formalisms can then be introduced in the framework by providing suitable MTL formalizations, which can then be discretized as well according to the same technique. While this idea is straightforward in principle, putting it into practice is challenging for several basic reasons. First, in order to have full discrete-time decidability we have to limit ourselves to propositional MTL [1]; its relatively limited expressive power makes it arduous to formalize completely the behavior of operational models (some technical facts, briefly described in Section 2, justify this intuition). Second, even if we used a more expressive first-order temporal-logic language, formalizing the semantics of "graphical" operational formalisms is usually tricky as several semantic subtleties that are "implicit" in the original model must be properly understood and resolved when translating them into a logic language. See for instance extensive discussions of such subtleties in [8] for timed Petri nets and in [19] for Statecharts. Third, not every MTL axiomatization is amenable to the discretization techniques of [11], as syntactically different MTL descriptions yielding the same underlying semantics provide discretizations of wildly different "qualities". Indeed, experience showed that the most "natural" axiomatizations of operational formalisms require substantial rewriting in order to work reasonably well under the discretization framework. Crafting suitable MTL descriptions has proved demanding, delicate, and crucially dependent on the features of the operational formalism at hand. In this respect, our previous work [12] focused on a variant of Timed Automata (TA) — a typical "synchronous" operational formalism. The formalization of intrinsically asynchronous components — such as those that sit at the boundary between the system and its environment — demands however the availability of a formalism that is both operational and "asynchronous". To this end, the present paper develops an axiomatization of Timed Petri Nets (TPN), an "asynchronous" operational formalism, integrates all three formalisms (MTL, TA, and TPN) into a unique framework, and evaluates an implementation of the framework on a monitoring system example.

The paper is structured as follows. Section 1.1 briefly discusses some works that are related to the approach and technique presented in this article. Section 2 introduces the relevant results on which the modeling and verification approach presented in this paper are based; more precisely, the section introduces MTL, timed automata and their MTL-based semantics, and the discretization technique for continuous-time MTL formulas. Section 3 presents the (continuous-time) MTL semantics of timed Petri nets and uses it to derive a discretized version of timed Petri nets that can be input to verification engines for discrete-time MTL (e.g., Zot). Section 4 shows how the various formalisms can be used to describe, and then combine together in a unique model, different aspects and parts of the same system; in addition, it reports on some verification tests carried out on the modeled system. Finally, Section 5 concludes and outlines some future works in this line of research.

1.1 Related work 

Combining different modeling paradigms in a single framework for verification purposes is not a novel concept. In fact, there is a rich literature on dual-language approaches, which combine an operational formalism and a descriptive formalism into one analysis framework [10]. The operational notation is used to describe the system dynamics, whereas the properties to be checked are expressed through the descriptive notation. Model-checking techniques [7] are a widely-used example of a dual-language approach to formal verification. Dual-language frameworks, however, usually adopt a rigid stance, in that one formalism is used to describe the system, while another is used for the properties to be verified. In this work we propose a flexible framework in which different paradigms can be mixed for different design purposes: system modeling, property specification and also verification.

Modeling using different paradigms is a staple of UML [18]. In fact, the UML modeling language is actually a blend of different notations (message sequence charts, Statecharts, OCL formulas, etc.) with different characteristics. The UML framework provides means to describe the same (software) systems from different, possibly complementary, perspectives. However, the standard language is devoid of mechanisms to guarantee that an integrated global view emerges from the various documents or that, in other words, the union of the different views yields a precise, coherent model.

Some work has been devoted to the (structural) transformation between models to re-use verification techniques for different paradigms and to achieve a unified semantics, similarly to the approach of this paper. Cassez and Roux [5] provide a structural translation of TPN into TA that allows one to piggy-back the efficient model-checking tools for TA. Our approach is complementary to [5] and similar works¹ in several ways. First, our transformations are targeted to a discretization framework: on the one hand, this allows a more lightweight verification process as well as the inclusion of discrete-time components within the global model; on the other hand, discretization introduces incompleteness that might reduce its effectiveness. Second, we leverage on a descriptive notation (MTL) rather than an operational one. This allows the seamless integration of operational and descriptive components, whereas the transformation of [5] stays within the model-checking paradigm where the system is modeled within the operational domain and the verified properties are modeled with a descriptive notation. Also, state-of-the-art tools for model-checking of TA (and formalisms of similar expressive power) do not support full real-time temporal logics (such as TCTL) but only a subset of significantly reduced expressive power. We claim that the model and properties we consider in the example of Section 4 are rather sophisticated and deep — even after weighting in the inherent limitations of our verification technique.

¹ See the related work section of [5] for more examples of transformational approaches.

For the sake of brevity, we omit in this report a description of related works on the discretization of continuous-time models. The interested reader can refer to [11] for a discussion of this topic.

2 Background 

2.1 Continuous- and discrete-time real-time behaviors 

We represent the concept of trace (or run) of some real-time system through the notion of behavior. Given a time domain $\mathbb{T}$ and a finite set $\mathcal{P}$ of atomic propositions, a behavior $b$ is a mapping $b : \mathbb{T} \to 2^{\mathcal{P}}$ which associates with every time instant $t \in \mathbb{T}$ the set $b(t)$ of propositions that hold at $t$. $\mathcal{B}_{\mathbb{T}}$ denotes the set of all behaviors over $\mathbb{T}$ (for an implicit fixed set of propositions). $t \in \mathbb{T}$ is a transition point for behavior $b$ iff $t$ is a discontinuity point of the mapping $b$. Depending on whether $\mathbb{T}$ is a discrete, dense, or continuous set, we call a behavior over $\mathbb{T}$ discrete-, dense-, or continuous-time respectively. In this report, we assume the natural numbers $\mathbb{N}$ as discrete time domain and the nonnegative real numbers $\mathbb{R}_{\ge 0}$ as continuous (and dense) time domain.

Non-Zeno and non-Berkeley. Over continuous-time domains, it is customary to consider only physically meaningful behaviors, namely those respecting the so-called non-Zeno property. A continuous-time behavior $b$ is non-Zeno if the sequence of transition points of $b$ has no accumulation points. For a non-Zeno behavior $b$, the values to the left and to the right of any transition point $t > 0$ are well-defined; we denote them as $b^-(t)$ and $b^+(t)$, respectively. When a proposition $p \in \mathcal{P}$ is such that $p \in b^-(t) \Leftrightarrow p \notin b^+(t)$ (i.e., $p$ switches its truth value about $t$), we say that $p$ is "triggered" at $t$. In order to ensure reducibility between continuous and discrete time, we consider non-Zeno behaviors with a stronger constraint, called non-Berkeleyness. A continuous-time behavior $b$ is non-Berkeley for some positive constant $\delta \in \mathbb{R}_{>0}$ if, for all $t \in \mathbb{T}$, there exists a closed interval $[u, u+\delta]$ of size $\delta$ such that $t \in [u, u+\delta]$ and $b$ is constant throughout $[u, u+\delta]$. Notice that a non-Berkeley behavior (for any $\delta$) is non-Zeno a fortiori. The set of all non-Berkeley continuous-time behaviors for $\delta > 0$ is denoted by $\mathcal{B}^{\delta}_{\mathbb{R}_{\ge 0}}$. In the following we always assume behaviors to be non-Berkeley, unless explicitly stated otherwise.

Syntax and semantics. From a purely semantic point of view, one can consider the model of a (real-time) system simply as a set of behaviors [3, 9] over some time domain $\mathbb{T}$ and sets of propositions. In practice, however, systems are modeled through some suitable notation: in this paper we consider a mixture of MTL formulas [15, 4], TA [1, 2], and TPN [6]. Given an MTL formula, a TA, or a TPN $\mu$, and a behavior $b$, $b \models \mu$ denotes that $b$ represents a system evolution which satisfies all the constraints imposed by $\mu$. If $b \models \mu$ for some $b \in \mathcal{B}_{\mathbb{T}}$, $\mu$ is called $\mathbb{T}$-satisfiable; if $b \models \mu$ for all $b \in \mathcal{B}_{\mathbb{T}}$, $\mu$ is called $\mathbb{T}$-valid. Similarly, if $b \models \mu$ for some $b \in \mathcal{B}^{\delta}_{\mathbb{R}_{\ge 0}}$, $\mu$ is called $\mathbb{R}^{\delta}_{\ge 0}$-satisfiable; if $b \models \mu$ for all $b \in \mathcal{B}^{\delta}_{\mathbb{R}_{\ge 0}}$, $\mu$ is called $\mathbb{R}^{\delta}_{\ge 0}$-valid.

2.2 Descriptive notation: Metric Temporal Logic 

Let $\mathcal{P}$ be a finite (non-empty) set of atomic propositions and $\mathcal{I}$ be the set of all (possibly unbounded) intervals of the time domain $\mathbb{T}$ with rational endpoints. We abbreviate intervals with pseudo-arithmetic expressions, such as $= d$, $< d$, $> d$, for $[d, d]$, $(0, d)$, and $[d, +\infty)$, respectively.

MTL syntax. The following grammar defines the syntax of (propositional) MTL, where $I \in \mathcal{I}$ and $p \in \mathcal{P}$.

$$\phi ::= p \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid U_I(\phi_1, \phi_2) \mid S_I(\phi_1, \phi_2)$$

The basic temporal operator of MTL is the bounded until $U_I(\phi_1, \phi_2)$ (and its past counterpart bounded since $S_I$) which says that $\phi_1$ holds until $\phi_2$ holds, with the additional constraint that $\phi_2$ must hold within interval $I$. Throughout the paper we omit the explicit treatment of past operators (i.e., $S_I$ and derived) as it can be trivially derived from that of the corresponding future operators.

MTL semantics. MTL semantics is defined over behaviors, parametrically with respect to the choice of the time domain $\mathbb{T}$. The semantics of Boolean connectives is the standard one; the definition of the until operator is as follows:

$$b(t) \models_{\mathbb{T}} U_I(\phi_1, \phi_2) \;\text{ iff there exists } d \in I \text{ such that: } b(t+d) \models_{\mathbb{T}} \phi_2 \text{ and, for all } u \in [0, d] \text{ it is } b(t+u) \models_{\mathbb{T}} \phi_1$$

$$b \models_{\mathbb{T}} \phi \;\text{ iff for all } t \in \mathbb{T}: b(t) \models_{\mathbb{T}} \phi$$

We remark that a global satisfiability semantics is assumed, i.e., the satisfiability of formulas is implicitly evaluated over all time instants in the time domain. This permits the direct and natural expression of most common real-time specifications (e.g., time-bounded response, time-bounded invariance, etc.) without resorting to nesting of temporal operators.

Granularity. For an MTL formula $\phi$, let $\mathcal{J}_\phi$ be the set of all non-null, finite interval bounds appearing in $\phi$. Then, $\mathcal{D}_\phi$ is the set of positive values $\delta$ such that any interval bound in $\mathcal{J}_\phi$ is an integer if divided by $\delta$.

2.2.1 Derived (temporal) operators. 

It is customary to introduce a number of derived (temporal) operators, to be used as shorthands in writing specification formulas. We assume a number of standard abbreviations such as $\bot, \top, \vee, \Rightarrow, \Leftrightarrow$; when $I = (0, \infty)$, we drop the subscript interval in temporal operators. All other derived operators used in this paper are listed in Table 1 ($\delta \in \mathbb{R}_{>0}$ is a parameter used in the discretization techniques, discussed shortly). In the following we describe briefly and informally the purpose of such derived operators, focusing on future ones (the meaning of the corresponding past operators is easily derivable).
• For propositions in the set $\{\gamma(x) \mid x \in X\}$, $\bigodot_{x \in X \subseteq Y} \gamma(x)$ states that $\gamma(x)$ holds for all $x$ in $X$ and does not hold for all $x$ in the complement set $Y \setminus X$.

• A few common derived temporal operators such as $R_I$, $\lozenge_I$, $\square_I$ are defined with the usual meaning: $R_I$ (release) is the dual of the until operator; $\lozenge_I(\phi)$ means that $\phi$ happens within time interval $I$ in the future; $\square_I(\phi)$ means that $\phi$ holds throughout the whole interval $I$ in the future.

• $\bigcirc(\phi)$ and $\overline{\bigcirc}(\phi)$ are useful over continuous time only, and describe $\phi$ holding throughout some unspecified non-empty interval in the strict future; more precisely, if $t$ is the current instant, there exists some $t' > t$ such that $\phi$ holds over $(t, t')$, where the interval is left-open for $\bigcirc$ and left-closed for $\overline{\bigcirc}$.

• $\Delta$ and $\blacktriangle$ describe different types of transitions. Namely, $\Delta(\phi_1, \phi_2)$ describes a switch from $\phi_1$ to $\phi_2$, irrespective of which value holds at the current instant, whereas $\blacktriangle(\phi_1, \phi_2)$ describes a switch from $\phi_1$ to $\phi_2$ such that $\phi_1$ holds at the current instant and $\phi_2$ will hold in the immediate future. Note that if $\blacktriangle(\phi_1, \phi_2)$ holds at some instant $t$, $\Delta(\phi_1, \phi_2)$ holds over $(t - \delta, t)$.

• $\Delta(\phi)$, $\blacktriangle(\phi)$ are shorthands for transitions of a single item; correspondingly the $\Updownarrow$, $\updownarrow$, $\oplus$ "trigger" operators are introduced: $\Updownarrow(\phi)$ denotes a transition of $\phi$ from false to true or vice versa, whereas $\updownarrow(\phi)$ describes a similar transition where the value of $\phi$ at the current instant is unspecified. $\oplus(\phi' \rightsquigarrow \phi)$ describes a more complex transition of $\phi$, one which is "triggered" by the auxiliary proposition $\phi'$.

• It is also convenient to introduce the "dual" operators $\overline{\Updownarrow}$, $\overline{\updownarrow}$, $\ominus$ which describe "non-transitions" of their argument. For instance, $\overline{\Updownarrow}(\phi)$ says that the truth value of $\phi$ (whatever it is) does not change from the current instant to the immediate future.

• Finally, $\mathrm{Alw}(\phi)$ expresses the invariance of $\phi$. Since $b \models_{\mathbb{T}} \mathrm{Alw}(\phi)$ iff $b \models_{\mathbb{T}} \phi$, for any behavior $b$, $\mathrm{Alw}(\phi)$ can be expressed without nesting if $\phi$ is flat, through the global satisfiability semantics introduced beforehand.



2.3 Operational notations: Timed Automata and Timed Petri Nets 

For lack of space, we omit a formal presentation of TA, which have however been introduced in the framework in previous work [12], and focus on MTL and TPN in the following. Section 4 will however informally illustrate the syntax and semantics of TA on an example, with a level of detail sufficient to understand its role within the framework.

Table 1: MTL derived temporal operators ($\delta \in \mathbb{R}_{>0}$ is the discretization parameter; past counterparts, where listed, are obtained with $S_I$ and $T_I$ in place of $U_I$ and $R_I$ and are written with a left arrow, e.g. $\overleftarrow{\square}_I$, $\overleftarrow{\bigcirc}$).

| Operator | Definition (future) | Past counterpart |
|---|---|---|
| $\bigodot_{x \in X \subseteq Y}\,\gamma(x)$ | $\bigwedge_{x \in X}\gamma(x) \wedge \bigwedge_{x \in Y \setminus X}\neg\gamma(x)$ | |
| $R_I(\phi_1, \phi_2)$ | $\neg U_I(\neg\phi_1, \neg\phi_2)$ | $T_I(\phi_1, \phi_2) \equiv \neg S_I(\neg\phi_1, \neg\phi_2)$ |
| $\lozenge_I(\phi)$ | $U_I(\top, \phi)$ | $S_I(\top, \phi)$ |
| $\square_I(\phi)$ | $R_I(\bot, \phi)$ | $T_I(\bot, \phi)$ |
| $\bigcirc(\phi)$ | $U_{(0,+\infty)}(\phi, \top) \vee (\neg\phi \wedge R_{(0,+\infty)}(\phi, \bot))$ | $S_{(0,+\infty)}(\phi, \top) \vee (\neg\phi \wedge T_{(0,+\infty)}(\phi, \bot))$ |
| $\overline{\bigcirc}(\phi)$ | $\phi \wedge \bigcirc(\phi)$ | $\phi \wedge \overleftarrow{\bigcirc}(\phi)$ |
| $\Delta(\phi_1, \phi_2)$ | $\overleftarrow{\bigcirc}(\phi_1) \wedge (\phi_2 \vee \bigcirc(\phi_2))$ if $\mathbb{T} = \mathbb{R}_{\ge 0}$ | |
| $\blacktriangle(\phi_1, \phi_2)$ | $\phi_1 \wedge \bigcirc(\phi_2)$ if $\mathbb{T} = \mathbb{R}_{\ge 0}$; $\phi_1 \wedge \lozenge_{=1}(\phi_2)$ if $\mathbb{T} = \mathbb{N}$ | |
| $\Delta(\phi)$ | $\Delta(\neg\phi, \phi)$ | |
| $\blacktriangle(\phi)$ | $\blacktriangle(\neg\phi, \phi)$ | |
| $\Updownarrow(\phi)$ | $\blacktriangle(\phi) \vee \blacktriangle(\neg\phi)$ | |
| $\updownarrow(\phi)$ | $\Delta(\phi) \vee \Delta(\neg\phi)$ | |
| $\oplus(\phi' \rightsquigarrow \phi)$ | $\bigcirc(\neg\phi) \wedge \square_{=\delta}(\phi' \Rightarrow \phi) \vee \bigcirc(\phi) \wedge \square_{=\delta}(\phi' \Rightarrow \neg\phi)$ if $\mathbb{T} = \mathbb{R}_{\ge 0}$; $\square_{[0,1]}(\neg\phi) \wedge \square_{[0,2]}(\phi' \Rightarrow \phi) \vee \square_{[0,1]}(\phi) \wedge \square_{[0,3]}(\phi' \Rightarrow \neg\phi)$ if $\mathbb{T} = \mathbb{N}$ | |
| $\overline{\Updownarrow}(\phi)$ | $\blacktriangle(\phi, \phi) \vee \blacktriangle(\neg\phi, \neg\phi)$ | |
| $\overline{\updownarrow}(\phi)$ | $\Delta(\phi, \phi) \vee \Delta(\neg\phi, \neg\phi)$ | |
| $\ominus(\phi' \rightsquigarrow \phi)$ | $\bigcirc(\phi) \wedge \square_{=\delta}(\phi' \Rightarrow \phi) \vee \bigcirc(\neg\phi) \wedge \square_{=\delta}(\phi' \Rightarrow \neg\phi)$ if $\mathbb{T} = \mathbb{R}_{\ge 0}$; $\square_{[0,1]}(\phi) \wedge \square_{[0,2]}(\phi' \Rightarrow \phi) \vee \square_{[0,1]}(\neg\phi) \wedge \square_{[0,3]}(\phi' \Rightarrow \neg\phi)$ if $\mathbb{T} = \mathbb{N}$ | |
| $\mathrm{Alw}(\phi)$ | $\phi \wedge \square_{(0,+\infty)}(\phi) \wedge \overleftarrow{\square}_{(0,+\infty)}(\phi)$ | |

Timed Petri nets syntax. A Timed Petri Net (TPN) is a tuple $N = (P, T, F, M_0, \alpha, \beta)$:

• $P$ is a finite set of places;

• $T$ is a finite set of transitions;

• $F \subseteq (P \times T) \cup (T \times P)$ is the flow relation;

• $M_0 : P \to \mathbb{N}$ is the initial marking;

• $\alpha : T \to \mathbb{Q}_{\ge 0}$ gives the earliest firing times of transitions; and

• $\beta : T \to \mathbb{Q}_{\ge 0} \cup \{\infty\}$ gives the latest firing times of transitions.

In general, a mapping $M : P \to \mathbb{N}$ is called a marking of $N$. Given $a \in P \cup T$, let $\bullet a = \{b \mid bFa\}$ and $a\bullet = \{b \mid aFb\}$ denote the preset and postset of $a$, respectively. We assume that every node $n \in P \cup T$ has a nonempty preset or a nonempty postset (or both); this is clearly without loss of generality.

Timed Petri nets semantics. The semantics of TPN is usually given as sequences of transition firings and place markings; see [6] for formal definitions. Correspondingly, a TPN is called $k$-safe for $k \in \mathbb{N}$ iff for every reachable marking $M$ it is $M(p) \le k$ for all $p \in P$. A TPN that is $k$-safe for some $k \in \mathbb{N}$ is called bounded.

In this report we assume 1-safe TPN. This allows a simplified description of the semantics, where any marking is completely described by a set $M \subseteq P$ of places such that a place is marked iff it is in $M$. We remark, however, that extending the presentation to generic bounded TPN would be routine. On the other hand, unbounded TPN would not be discretizable according to the notion of Section 2.4, hence they would fit only in a different framework. To further simplify the presentation, we assume non-Berkeley behaviors for some generic $\delta > 0$ in presenting the semantics; correspondingly we do not have to consider zero-time transitions as every enabled transition is enabled for at least $\delta$ time units.

The continuous-time semantics of a 1-safe TPN $N = (P, T, F, M_0, \alpha, \beta)$ can be conveniently introduced for behaviors over propositions $\mathcal{P} = \mu \cup \varepsilon \cup \tau = \{\mu(p), \varepsilon(p) \mid p \in P\} \cup \{\tau(t) \mid t \in T\}$ as follows. Intuitively, at any time $t$ over a behavior $b$, $\mu(p) \in b(t)$ denotes that place $p$ is marked; $\tau(u)$ being triggered at $t$ denotes that transition $u$ fires at $t$; and $\varepsilon(p)$ being triggered at $t$ denotes that place $p$ undergoes a "zero-time unmarking", as it will be defined shortly.² Then, $b$ is a run of TPN $N$, and we write $b \models_{\mathbb{R}_{\ge 0}} N$, iff the following conditions hold:

• Initialization: $b(0) = \varepsilon \cup \tau \cup \{\mu(p) \mid p \in M_0\}$, and there exists a transition instant $t_{\mathrm{start}} > 0$³ such that: $b(0) = b(t)$ for all $0 < t < t_{\mathrm{start}}$ and $b^+(t_{\mathrm{start}}) = \tau \cup \{\mu(p) \mid p \in M_0\}$.

• Marking: for all instants $u > t_{\mathrm{start}}$ such that $\mu(p) \notin b^-(u)$ and $\mu(p) \in b^+(u)$ we say that $p$ becomes marked. Correspondingly, there exists a transition $t \in \bullet p$ such that: (i) $\tau(t)$ is triggered at $u$, (ii) for no other transition $t' \in \bullet p$ (other than $t$ itself) $\tau(t')$ is triggered at $u$, and (iii) for no transition $t \in p\bullet$ $\tau(t)$ is triggered at $u$.

• Unmarking: for all instants $u > t_{\mathrm{start}}$ such that $\mu(p) \in b^-(u)$ and $\mu(p) \notin b^+(u)$ we say that $p$ becomes unmarked. Correspondingly, there exists a transition $t \in p\bullet$ such that: (i) $\tau(t)$ is triggered at $u$, (ii) for no other transition $t' \in p\bullet$ (other than $t$ itself) $\tau(t')$ is triggered at $u$, and (iii) for no transition $t \in \bullet p$ $\tau(t)$ is triggered at $u$.

• Enabling: for all instants $u > t_{\mathrm{start}}$ such that $\tau(t)$ is triggered at $u$, all places $p \in \bullet t$ must have been marked continuously over $(u - \alpha(t), u)$ without any zero-time unmarkings of the same places occurring.

• Bound: for all instants $u > t_{\mathrm{start}}$ such that $\tau(t)$ has not been triggered anywhere over $(u - \beta(t), u)$ and all places $p \in \bullet t$ have been marked continuously, one of the following must occur: (i) all such $p$'s become unmarked at $u$, (ii) $\tau(t)$ is triggered at $u$, or (iii) all such $p$'s are still marked "from now on" and some $p \in \bullet t$ undergoes a zero-time unmarking (i.e., $\varepsilon(p)$ is triggered at $u$).

• Effect: for all instants $u > t_{\mathrm{start}}$ such that $\tau(t)$ is triggered at $u$, any place $p \in \bullet t$ becomes unmarked or undergoes a zero-time unmarking, and any place $p \in t\bullet$ becomes marked or undergoes a zero-time unmarking.

• Zero-time unmarking: for all instants $u > t_{\mathrm{start}}$ such that $\varepsilon(p)$ is triggered at $u$ we say that $p$ undergoes a zero-time unmarking. Correspondingly, there exist transitions $t_a \in \bullet p$ and $t_b \in p\bullet$ such that $\tau(t_a)$ is triggered, $\tau(t_b)$ is triggered, and for no other transition $t' \in \bullet p \cup p\bullet$ (other than $t_a, t_b$) $\tau(t')$ is triggered.

2.4 Discrete-time approximations of continuous-time specifications 

This section provides an overview of the results in [11] that will be used as a basis for the technique of this paper. The technique of [11] is based on two approximation functions for MTL formulas, called under- and over-approximation. The under-approximation function $\Omega_\delta$ maps continuous-time MTL formulas to discrete-time formulas such that the non-validity of the latter implies the non-validity of the former, over behaviors in $\mathcal{B}^{\delta}_{\mathbb{R}_{\ge 0}}$; in other words $\Omega_\delta$ preserves validity from continuous to discrete time. The over-approximation function $O_\delta$ maps continuous-time MTL formulas to discrete-time MTL formulas such that the validity of the latter implies the validity of the former, over behaviors in $\mathcal{B}^{\delta}_{\mathbb{R}_{\ge 0}}$. We have the following fundamental verification result, which constitutes the basis of the whole verification framework in the paper.

² The dual "zero-time markings" do not occur over non-Berkeley behaviors as a consequence of zero-time transitions not occurring.

³ In the following, we will assume that $t_{\mathrm{start}} \in [0, 2\delta]$ for the discretization parameter $\delta > 0$.


Proposition 1 (Approximations [11]). For any MTL formulas $\phi_1, \phi_2$, and for any $\delta \in \mathcal{D}_{\phi_1, \phi_2}$: (1) if $\mathrm{Alw}(\Omega_\delta(\phi_1)) \Rightarrow \mathrm{Alw}(O_\delta(\phi_2))$ is $\mathbb{N}$-valid, then $\mathrm{Alw}(\phi_1) \Rightarrow \mathrm{Alw}(\phi_2)$ is $\mathbb{R}^{\delta}_{\ge 0}$-valid; and (2) if $\mathrm{Alw}(O_\delta(\phi_1)) \Rightarrow \mathrm{Alw}(\Omega_\delta(\phi_2))$ is not $\mathbb{N}$-valid, then $\mathrm{Alw}(\phi_1) \Rightarrow \mathrm{Alw}(\phi_2)$ is not $\mathbb{R}^{\delta}_{\ge 0}$-valid.

Proposition 1 suggests the following verification approach for MTL. Assume first a system modeled as an (arbitrarily complex) MTL formula $\phi_{\mathrm{sys}}$; in order to verify if another MTL formula $\phi_{\mathrm{prop}}$ holds for all runs of the system we should check the validity of the derived MTL formula $\mathrm{Alw}(\phi_{\mathrm{sys}}) \Rightarrow \mathrm{Alw}(\phi_{\mathrm{prop}})$ which postulates that every run of the system also satisfies the property. Over continuous time, we would build the two discrete-time formulas of Proposition 1 and infer the validity of the continuous-time formula from the results of a discrete-time validity checking. The technique is incomplete as, in particular, when approximation (1) is not valid and approximation (2) is valid nothing can be inferred about the validity of the property in the original system over continuous time.

Consider now another notation $\mathcal{N}$ (e.g., TA or TPN); if we can characterize the continuous-time semantics of any system described with $\mathcal{N}$ by means of a set of MTL formulas, we can reduce the (continuous-time) verification problem for $\mathcal{N}$ to the (continuous-time) verification problem for MTL, and solve the latter as outlined in the previous paragraph.

There are, however, several practical hurdles that make this approach not straightforward to achieve. First, the application of the over- and under-approximations of [11] requires MTL formulas written in a particular form and which do not nest temporal operators. Although in principle every formula can be transformed into the required form (possibly with the addition of a finite number of fresh propositional variables), not every transformation is effective. That is, it turns out that semantically equivalent continuous-time formulas can yield dramatically different — in terms of efficacy and completeness — approximated discrete-time formulas. The axiomatization of operational formalisms (such as TA and TPN) is all the more tricky and requires different sets of axioms, according to whether they will undergo under- or over-approximation. However, all different axiomatizations will be shown to be continuous-time equivalent, hence the intended semantics is captured correctly in all situations. The application in practice of the MTL verification technique will use the "best" set of axioms in every case.



3 Discretizable MTL Axiomatizations of TPN

It is not too hard to devise a general, continuous-time axiomatization of the semantics of a non-trivial subclass of TPN. However, this axiomatization — for reasons that are similar to those discussed in [12] for the TA axiomatization — yields a poor discretized counterpart when the technique of Section 2.4 is applied. Then, this section describes three equivalent (for non-Berkeley behaviors) continuous-time axiomatizations of the semantics of TPN (as introduced in Section 2.3): a generic one (Section 3.1), one that works best for discrete-time under-approximation (Section 3.2), and one that works best for discrete-time over-approximation (Section 3.4). Sections 3.3 and 3.5 produce respectively the corresponding discrete-time formulas that will be used in the verification problem. Throughout this section, assume a TPN $N = (P, T, F, M_0, \alpha, \beta)$ and the set of propositions $\mathcal{P} = \mu \cup \varepsilon \cup \tau$ as in the definition of their semantics (Section 2.3). The axiomatization of TPN presented in this paper imposes that, in every marking, a place can contain at most one token. As a consequence, it captures all evolutions of any TPN that is 1-safe; however, it is also capable of describing, for a TPN that is not 1-safe (i.e., which has reachable markings such that at least one place contains more than one token) the sequences of markings in which every place has at most one token. For 1-safe TPN (either by construction or by imposition) any marking $M$ is completely described by the subset of places that are marked in $M$, which simplifies their formalization. We remark, however, that extending the axiomatization to include generic bounded TPN would be routine.



3.1 Generic axiomatization

The continuous-time semantics of a 1-safe TPN $N = (P, T, F, M_0, \alpha, \beta)$ can be described through the set of propositions $\mathcal{P} = \mu \cup \varepsilon \cup \tau$, where $\mu = \{\mu_p \mid p \in P\}$, $\varepsilon = \{\varepsilon_p \mid p \in P\}$ and $\tau = \{\tau_u \mid u \in T\}$. Intuitively, at any time $t$ in a behavior $b$, $\mu_p \in b(t)$ denotes that place $p$ is marked; $\tau_u$ being "triggered" (see Section 2) at $t$ denotes that transition $u$ fires at $t$; and $\varepsilon_p$ being triggered at $t$ denotes that place $p$ undergoes a "zero-time unmarking", that is, $p$ is both unmarked and marked at the same instant (hence does not change the number of contained tokens), as it will be defined shortly.⁴ Then, $b$ is a run of TPN $N$, and we write $b \models_{\mathbb{R}_{\ge 0}} N$, iff the conditions listed below hold.



3.1.1 Places

Marking and unmarking of place $p \in P$ is described by linking transitions of $\mu_p$ to transitions of $\tau_u$ for transitions $u$ in the pre and postset of $p$. The trigger operator $\mathrm{I}$ (matching $\Delta$) is used for $\tau_u$, as the actual truth value of $\tau_u$ after the transition is irrelevant as long as a transition occurs.

Marking: For all instants $t$ such that $\mu_p$ becomes true in $t$ we say that $p$ becomes marked. Correspondingly, there exists a transition $u \in {\bullet}p$ such that: (i) $\tau_u$ is triggered at $t$, (ii) for no other transition $u' \in {\bullet}p$ (other than $u$ itself) $\tau_{u'}$ is triggered at $t$, and (iii) for no transition $u'' \in p{\bullet}$ $\tau_{u''}$ is triggered at $t$. This corresponds to the following axioms.



$$p \in M_0:\quad \Delta(\mu_p) \Rightarrow \Big(\bigvee_{u \in {\bullet}p}\big(\mathrm{I}(\tau_u) \wedge \bigwedge_{u' \neq u \in {\bullet}p} \neg\mathrm{I}(\tau_{u'})\big) \wedge \bigwedge_{u \in p{\bullet}} \neg\mathrm{I}(\tau_u)\Big) \vee \Box_{(0,\infty)}(\neg\mu_p) \tag{1}$$

$$p \notin M_0:\quad \Delta(\mu_p) \Rightarrow \bigvee_{u \in {\bullet}p}\big(\mathrm{I}(\tau_u) \wedge \bigwedge_{u' \neq u \in {\bullet}p} \neg\mathrm{I}(\tau_{u'})\big) \wedge \bigwedge_{u \in p{\bullet}} \neg\mathrm{I}(\tau_u) \tag{2}$$



⁴ The dual "zero-time markings" (in which a place $p$ is both marked and unmarked at the same instant, and hence remains empty) do not occur over non-Berkeley behaviors since, over these behaviors, transitions cannot fire in the same instant in which they are enabled.

Unmarking: For all instants $t$ such that $\mu_p$ becomes false in $t$ we say that $p$ becomes unmarked. Correspondingly, there exists a transition $u \in p{\bullet}$ such that: (i) $\tau_u$ is triggered at $t$, (ii) for no other transition $u' \in p{\bullet}$ (other than $u$ itself) $\tau_{u'}$ is triggered at $t$, and (iii) for no transition $u'' \in {\bullet}p$ $\tau_{u''}$ is triggered at $t$.

$$\Delta(\neg\mu_p) \Rightarrow \bigvee_{u \in p{\bullet}}\big(\mathrm{I}(\tau_u) \wedge \bigwedge_{u' \neq u \in p{\bullet}} \neg\mathrm{I}(\tau_{u'})\big) \wedge \bigwedge_{u \in {\bullet}p} \neg\mathrm{I}(\tau_u) \tag{3}$$



3.1.2 Transitions

The lower and upper bounds on the firing of transition $u$ are specified by necessary and sufficient conditions, respectively, on transitions of proposition $\tau_u$. Earliest and latest firing times are introduced through MTL real-time constraints. A non-firing transition $u$ stays enabled as long as $\mu_p$ (for $p$ in $u$'s preset) holds continuously.

Enabling: For all instants $t$ such that $\tau_u$ is triggered at $t$, all places $p \in {\bullet}u$ must have been marked continuously over $(t - \alpha(u), t)$ without any zero-time unmarkings of the same places occurring.



$$\mathrm{I}(\tau_u) \Rightarrow \bigwedge_{p\in{\bullet}u}\Big(\big(\bigcirc(\mu_p\wedge\varepsilon_p) \wedge \Box_{(0,\alpha(u))}(\mu_p\wedge\varepsilon_p)\big) \vee \big(\bigcirc(\mu_p\wedge\neg\varepsilon_p) \wedge \Box_{(0,\alpha(u))}(\mu_p\wedge\neg\varepsilon_p)\big)\Big) \tag{4}$$



Bound: For all instants $t$ such that $\tau_u$ has not been triggered anywhere over $(t - \beta(u), t)$ and all places $p \in {\bullet}u$ have been marked continuously, one of the following must occur: (i) one of such $p$'s becomes unmarked at $t$, (ii) $\tau_u$ is triggered at $t$, or (iii) all such $p$'s are still marked in $b^+(t)$ and some $p \in {\bullet}u$ undergoes a zero-time unmarking (i.e., $\varepsilon_p$ is triggered at $t$). This is formalized by introducing two axioms for each transition $u \in T$.



$$\Box_{(0,\beta(u))}\Big(\tau_u \wedge \bigwedge_{p\in{\bullet}u}\mu_p\Big) \Rightarrow \bigvee_{p\in{\bullet}u}\big(\neg\mu_p \vee \bigcirc(\neg\mu_p)\big) \vee \big(\neg\tau_u \vee \bigcirc(\neg\tau_u)\big) \vee \bigvee_{p\in{\bullet}u}\Big(\big(\Box_{(0,\beta(u))}(\varepsilon_p) \Rightarrow \neg\varepsilon_p \vee \bigcirc(\neg\varepsilon_p)\big) \wedge \big(\Box_{(0,\beta(u))}(\neg\varepsilon_p) \Rightarrow \varepsilon_p \vee \bigcirc(\varepsilon_p)\big)\Big) \tag{5}$$

$$\Box_{(0,\beta(u))}\Big(\neg\tau_u \wedge \bigwedge_{p\in{\bullet}u}\mu_p\Big) \Rightarrow \bigvee_{p\in{\bullet}u}\big(\neg\mu_p \vee \bigcirc(\neg\mu_p)\big) \vee \big(\tau_u \vee \bigcirc(\tau_u)\big) \vee \bigvee_{p\in{\bullet}u}\Big(\big(\Box_{(0,\beta(u))}(\varepsilon_p) \Rightarrow \neg\varepsilon_p \vee \bigcirc(\neg\varepsilon_p)\big) \wedge \big(\Box_{(0,\beta(u))}(\neg\varepsilon_p) \Rightarrow \varepsilon_p \vee \bigcirc(\varepsilon_p)\big)\Big) \tag{6}$$



Axioms (5)–(6) impose a so-called "strong time semantics" on the TPN model [8]. This is a departure from the notion of TA formalized in [12], for which the axioms impose what is in fact a weak time semantics [10].

Effect: For all instants $t$ such that $\tau_u$ is triggered at $t$, every place $p \in {\bullet}u$ either becomes unmarked or undergoes a zero-time unmarking, and every place $p \in u{\bullet}$ either becomes marked or undergoes a zero-time unmarking.



$$\mathrm{I}(\tau_u) \Rightarrow \bigwedge_{p\in{\bullet}u}\big(\Delta(\neg\mu_p) \vee \mathrm{I}(\varepsilon_p)\big) \wedge \bigwedge_{p\in u{\bullet}}\big(\Delta(\mu_p) \vee \mathrm{I}(\varepsilon_p)\big) \tag{7}$$

3.1.3 Zero-time unmarking

For all instants $t$ such that $\varepsilon_p$ is triggered at $t$ we say that $p$ undergoes a zero-time unmarking. Correspondingly, there exist transitions $u_a \in {\bullet}p$ and $u_b \in p{\bullet}$ such that $\tau_{u_a}$ is triggered, $\tau_{u_b}$ is triggered, and for no other transition $u' \in {\bullet}p \cup p{\bullet}$ (other than $u_a$, $u_b$) $\tau_{u'}$ is triggered.

$$\Delta(\varepsilon_p) \Rightarrow \bigvee_{u_a\in{\bullet}p,\ u_b\in p{\bullet}}\Big(\big(\mathrm{I}(\tau_{u_a}) \wedge \bigwedge_{u'\neq u_a\in{\bullet}p}\neg\mathrm{I}(\tau_{u'})\big) \wedge \big(\mathrm{I}(\tau_{u_b}) \wedge \bigwedge_{u'\neq u_b\in p{\bullet}}\neg\mathrm{I}(\tau_{u'})\big)\Big) \tag{8}$$

3.1.4 Initialization

$b(0) = \emptyset$, and there exists a transition instant $t_{start} > 0$ such that: $b(t) = b(0)$ for all $0 < t < t_{start}$ and $b^+(t_{start}) = \varepsilon \cup \tau \cup \{\mu_p \mid p \in M_0\}$ (i.e., the places in the initial marking become marked at $t_{start}$). This is captured by the following axiom:

$$\text{at } 0:\quad \bigwedge_{p \in P} \neg\mu_p \wedge \Diamond_{[0,2\delta]}\Big(\bigwedge_{p \in M_0} \mu_p \wedge \bigcirc\Big(\bigwedge_{p \in P} \varepsilon_p \wedge \bigwedge_{u \in T} \tau_u\Big)\Big) \tag{9}$$

Finally, given a TPN $N$, the MTL formula $\psi_N$ formalizing $N$ is the conjunction of axioms (1)–(9) instantiated for each place and transition of $N$.
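As an added example (not part of the paper, and not the code of the Zot plugin), the following Python checker tests a sampled run of a 1-safe TPN against the conditions stated in axioms (2)–(7) and (9) above. It assumes a hypothetical sampling period `delta`, a run that starts at $t_{start}$ and records at each step the marked places and the transitions fired at that step, and no zero-time unmarkings (so no place lies in both the preset and the postset of one transition); the sample net and runs are constructed for the example.

```python
"""Added example: check a sampled run of a 1-safe TPN against the
conditions of axioms (2), (3), (4), (5)/(6), (7) and (9).

Assumptions (not from the paper): the run is sampled every `delta`
time units starting at t_start (when M0 appears); each step is a pair
(marked places, transitions fired at that step) and the marking of a
step already reflects those firings. Zero-time unmarkings are assumed
not to occur, so a place is never in both •u and u• of one transition.
"""
from dataclasses import dataclass
from math import ceil, floor


@dataclass
class TPN:
    places: frozenset
    transitions: frozenset
    pre: dict       # u -> places in •u
    post: dict      # u -> places in u•
    m0: frozenset   # initial marking as a set of places (1-safe)
    alpha: dict     # u -> earliest firing time
    beta: dict      # u -> latest firing time

    def pre_of_place(self, p):   # •p: transitions that put a token in p
        return {u for u in self.transitions if p in self.post[u]}

    def post_of_place(self, p):  # p•: transitions that take a token from p
        return {u for u in self.transitions if p in self.pre[u]}


def check_run(net, run, delta):
    """Return the list of violated axioms (empty when the run satisfies them)."""
    errors = []
    if not run:
        return ["empty run"]
    marked0, fired0 = run[0]
    if set(marked0) != set(net.m0) or fired0:   # (9): M0 appears, nothing fires
        errors.append("(9) initialization: M0 must appear with no firing")
    # since[u]: consecutive earlier steps at which all of •u was marked and
    # u did not fire, i.e. the enabling duration of u measured in steps
    since = {u: 0 for u in net.transitions}
    for i, (marked, fired) in enumerate(run):
        marked, fired = set(marked), set(fired)
        if i > 0:
            prev = set(run[i - 1][0])
            for p in net.places:
                # (2): mu_p becomes true only with exactly one firing in •p
                # and no firing in p• at the same step
                if p in marked and p not in prev:
                    if len(fired & net.pre_of_place(p)) != 1 or fired & net.post_of_place(p):
                        errors.append(f"(2) place {p} marked at step {i} without a unique firing in its preset")
                # (3): the symmetric condition when mu_p becomes false
                if p not in marked and p in prev:
                    if len(fired & net.post_of_place(p)) != 1 or fired & net.pre_of_place(p):
                        errors.append(f"(3) place {p} unmarked at step {i} without a unique firing in its postset")
        for u in net.transitions:
            enabled_before = since[u]
            if u in fired:
                # (4): •u marked for at least alpha(u) before the firing
                if enabled_before < ceil(net.alpha[u] / delta):
                    errors.append(f"(4) {u} fired at step {i} before alpha({u}) elapsed")
                # (7): the firing empties •u and fills u•
                if net.pre[u] & marked or not net.post[u] <= marked:
                    errors.append(f"(7) effect of {u} at step {i} not reflected in the marking")
                since[u] = 0
            elif net.pre[u] <= marked:
                # (5)/(6): an enabled transition cannot wait beyond beta(u)
                if enabled_before >= floor(net.beta[u] / delta):
                    errors.append(f"(5)/(6) {u} enabled longer than beta({u}) without firing at step {i}")
                since[u] += 1
            else:
                since[u] = 0
    return errors


def example_net():
    """Constructed sample net: one transition u moving the token from place a
    to place b within the hypothetical firing interval [2, 4]."""
    return TPN(places=frozenset({"a", "b"}), transitions=frozenset({"u"}),
               pre={"u": frozenset({"a"})}, post={"u": frozenset({"b"})},
               m0=frozenset({"a"}), alpha={"u": 2}, beta={"u": 4})


if __name__ == "__main__":
    net = example_net()
    ok = [({"a"}, set()), ({"a"}, set()), ({"b"}, {"u"})]   # u fires at t = 2
    early = [({"a"}, set()), ({"b"}, {"u"})]                # u fires at t = 1
    late = [({"a"}, set())] * 5                             # still enabled at t = 4
    for name, run in (("ok", ok), ("early", early), ("late", late)):
        print(name, check_run(net, run, delta=1) or "satisfies the axioms")
```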



3.2 Axiomatization for under-approximation

As also discussed in [12], operator $\Delta$ yields very weak under-approximations when used on the left-hand side of implications. It turns out that the under-approximation of $\Delta(\phi_1, \phi_2)$ is the discrete-time formula $\Box_{[0,1]}(\phi_1) \wedge \phi_2$. For a proposition $x$, $\Delta(x)$ is then the unsatisfiable formula $\Box_{[0,1]}(\neg x) \wedge x$; correspondingly, all implications with such formulas as antecedent are trivially true and do not constrain in any way the discrete-time system.

The approximations can be significantly improved by using the more constraining $\blacktriangle$ in place of $\Delta$. One can check that the under-approximation of $\blacktriangle(x)$ is $\blacktriangle(x)$ itself, which describes a discrete-time transition with $\neg x$ holding at the current instant and $x$ holding at the next instant. Correspondingly, all instances of $\Delta$ are changed into instances of $\blacktriangle$ in (1)–(9), yielding (10)–(18).
3.2.1 Places

$$p \in M_0:\quad \blacktriangle(\mu_p) \Rightarrow \Big(\bigvee_{u \in {\bullet}p}\big(\mathrm{I}(\tau_u) \wedge \bigwedge_{u' \neq u \in {\bullet}p} \neg\mathrm{I}(\tau_{u'})\big) \wedge \bigwedge_{u \in p{\bullet}} \neg\mathrm{I}(\tau_u)\Big) \vee \Box_{[0,\infty)}(\neg\mu_p) \tag{10}$$

$$p \notin M_0:\quad \blacktriangle(\mu_p) \Rightarrow \bigvee_{u \in {\bullet}p}\big(\mathrm{I}(\tau_u) \wedge \bigwedge_{u' \neq u \in {\bullet}p} \neg\mathrm{I}(\tau_{u'})\big) \wedge \bigwedge_{u \in p{\bullet}} \neg\mathrm{I}(\tau_u) \tag{11}$$

$$\blacktriangle(\neg\mu_p) \Rightarrow \bigvee_{u \in p{\bullet}}\big(\mathrm{I}(\tau_u) \wedge \bigwedge_{u' \neq u \in p{\bullet}} \neg\mathrm{I}(\tau_{u'})\big) \wedge \bigwedge_{u \in {\bullet}p} \neg\mathrm{I}(\tau_u) \tag{12}$$



3.2.2 Transitions

$$\mathrm{I}(\tau_u) \Rightarrow \bigwedge_{p\in{\bullet}u}\Big(\big(\mu_p\wedge\varepsilon_p \wedge \Box_{(0,\alpha(u)-\delta)}(\mu_p\wedge\varepsilon_p)\big) \vee \big(\mu_p\wedge\neg\varepsilon_p \wedge \Box_{(0,\alpha(u)-\delta)}(\mu_p\wedge\neg\varepsilon_p)\big)\Big) \tag{13}$$

(14) Same as (5)

(15) Same as (6)

$$\mathrm{I}(\tau_u) \Rightarrow \bigwedge_{p\in{\bullet}u}\big(\blacktriangle(\neg\mu_p) \vee \mathrm{I}(\varepsilon_p)\big) \wedge \bigwedge_{p\in u{\bullet}}\big(\blacktriangle(\mu_p) \vee \mathrm{I}(\varepsilon_p)\big) \tag{16}$$



3.2.3 Zero-time unmarking

$$\blacktriangle(\varepsilon_p) \Rightarrow \bigvee_{u_a\in{\bullet}p,\ u_b\in p{\bullet}}\Big(\big(\mathrm{I}(\tau_{u_a}) \wedge \bigwedge_{u'\neq u_a\in{\bullet}p}\neg\mathrm{I}(\tau_{u'})\big) \wedge \big(\mathrm{I}(\tau_{u_b}) \wedge \bigwedge_{u'\neq u_b\in p{\bullet}}\neg\mathrm{I}(\tau_{u'})\big)\Big) \tag{17}$$

3.2.4 Initialization

$$\Box_{[\delta,\infty)}(\bot) \Rightarrow \bigwedge_{p \in P} \neg\mu_p \wedge \Diamond_{[0,2\delta]}\Big(\bigwedge_{p \in M_0} \mu_p \wedge \bigcirc\Big(\bigwedge_{p \in P} \varepsilon_p \wedge \bigwedge_{u \in T} \tau_u\Big)\Big) \tag{18}$$



It can be shown that (1)–(9) are equivalent to (10)–(18) over behaviors that are non-Berkeley for $\delta$. For instance, consider (2) and (11). In order to show that (2) implies (11), let (2) and $\blacktriangle(\mu_p)$ hold at the current time instant $z$. $\blacktriangle(\mu_p)$ implies that there exists a $z' \in [z, z + \delta]$ where $\mu_p$ shifts from false to true. (2) evaluated at $z'$ entails (among other things) that $\mathrm{I}(\tau_u)$ holds at $z'$ for some $u$; that is, $\tau_u$ is triggered at $z'$. Without loss of generality, assume that $\tau_u$ is false before $z'$ and is true after it. The non-Berkeleyness assumption allows us to strengthen this fact, so that $\tau_u$ is false at $z$ as well and is true until $z + \delta$, because $z' \in [z, z + \delta]$. Hence $\mathrm{I}(\tau_u)$ holds at $z$. The rest of the implication is proved similarly. The proof of the converse implication, that (11) implies (2), also relies on the non-Berkeleyness assumption, which guarantees that there is exactly one transition of $\mu_p$ over $[z, z + \delta]$ as a consequence of $\blacktriangle(\mu_p)$ holding at $z$. We omit the details of the proof, which are however along the same lines.
3.3 Under-approximation

The under-approximations of (10)–(18) are reported as formulas (19)–(27). Notice the lower- and upper-bound relaxations in (22)–(24), in accordance with the notion of under-approximation.



3.3.1 Places

(19) Syntactically the same as in (10)

(20) Syntactically the same as in (11)

(21) Syntactically the same as in (12)



3.3.2 Transitions

$$\mathrm{I}(\tau_u) \Rightarrow \bigwedge_{p\in{\bullet}u}\Big(\big(\mu_p\wedge\varepsilon_p \wedge \Box_{[1,\alpha(u)/\delta-2]}(\mu_p\wedge\varepsilon_p)\big) \vee \big(\mu_p\wedge\neg\varepsilon_p \wedge \Box_{[1,\alpha(u)/\delta-2]}(\mu_p\wedge\neg\varepsilon_p)\big)\Big) \tag{22}$$

$$\Box_{[0,\beta(u)/\delta]}\Big(\tau_u \wedge \bigwedge_{p\in{\bullet}u}\mu_p\Big) \Rightarrow \bigvee_{p\in{\bullet}u}\Diamond_{=1}(\neg\mu_p) \vee \bigvee_{p\in{\bullet}u}\Big(\big(\Box_{[0,\beta(u)/\delta]}(\varepsilon_p) \Rightarrow \Diamond_{=1}(\neg\varepsilon_p)\big) \wedge \big(\Box_{[0,\beta(u)/\delta]}(\neg\varepsilon_p) \Rightarrow \Diamond_{=1}(\varepsilon_p)\big)\Big) \vee \Diamond_{=1}(\neg\tau_u) \tag{23}$$

$$\Box_{[0,\beta(u)/\delta]}\Big(\neg\tau_u \wedge \bigwedge_{p\in{\bullet}u}\mu_p\Big) \Rightarrow \bigvee_{p\in{\bullet}u}\Diamond_{=1}(\neg\mu_p) \vee \bigvee_{p\in{\bullet}u}\Big(\big(\Box_{[0,\beta(u)/\delta]}(\varepsilon_p) \Rightarrow \Diamond_{=1}(\neg\varepsilon_p)\big) \wedge \big(\Box_{[0,\beta(u)/\delta]}(\neg\varepsilon_p) \Rightarrow \Diamond_{=1}(\varepsilon_p)\big)\Big) \vee \Diamond_{=1}(\tau_u) \tag{24}$$

(25) Syntactically the same as in (16)



The straightforward under-approximation of (14) and (15) yields formulas which have been re-arranged to eliminate redundant terms. In fact, the time bound $(0, \beta(u))$ in the antecedent becomes $[0, \beta(u)/\delta]$ when under-approximated. Hence, formulas such as $\Box_{(0,\beta(u))}(\gamma) \Rightarrow \neg\gamma \vee \bigcirc(\neg\gamma)$ are under-approximated as $\Box_{[0,\beta(u)/\delta]}(\gamma) \Rightarrow \neg\gamma \vee \Diamond_{=1}(\neg\gamma)$. However, $\neg\gamma$ never holds at the current instant because it would contradict the antecedent. Correspondingly, such formulas can be simplified to $\Box_{[0,\beta(u)/\delta]}(\gamma) \Rightarrow \Diamond_{=1}(\neg\gamma)$.



3.3.3 Zero-time unmarking

(26) Syntactically the same as in (17)



3.3.4 Initialization 



atO: /\ ^ P A0 M A A A e P A A r « (27) 
3.4 Axiomatization for over-approximation

Continuous-time operator $\Delta$ becomes⁵ discrete-time operator $\blacktriangle$ under over-approximation when it occurs on the left-hand side of implications, hence it is suitable to describe antecedents of transitions that will be over-approximated. However, the over-approximation of the same operator takes a different form on the right-hand side of implications. In such cases, the over-approximation of formulas such as $\Delta(x)$ is $\Box_{[0,1]}(\neg x) \wedge \Box_{[0,1]}(x)$, which is clearly unsatisfiable. Correspondingly, the whole over-approximation formulas would be satisfiable only for false antecedents, i.e., when no transition ever occurs.

After careful experimentation, we found that a workaround to this problem should exploit a weakening of the $\Delta$ operators that occur in consequent formulas. Let us illustrate the idea as simply as possible for two propositions $x, y$ and the formula $\Delta(x) \Rightarrow \Delta(y)$: every transition of $x$ occurs concurrently with a transition of $y$. The formula is relaxed into the weaker $\Delta(x) \Rightarrow \bigcirc(\neg y) \wedge \Box_{=\delta}(x \Rightarrow y)$: every transition of $x$ also triggers a transition of $y$ sometime in the future, as long as $x$ still holds $\delta$ time units in the future. The new formula is essentially equivalent to the original one for non-Berkeley behaviors for the following reasons. First, $x$ must still hold $\delta$ time units in the future, because its behavior is non-Berkeley for $\delta$; hence $y$ holds as well there and must transition somewhere over the interval $(0, \delta)$ from the current instant. In addition, the transition of $y$ cannot occur asynchronously to the transition of $x$; otherwise two distinct transitions would occur within $\delta$ time units, against the non-Berkeleyness assumption. In all, the two formulations are equivalent over non-Berkeley continuous time. Correspondingly, a dedicated operator embodying this relaxation is introduced and used on the right-hand side of implications in the following continuous-time formulas (28)–(36).



3.4.1 Places 



p £ M : A(^ p ) 



p $ M : AQip) 



A 

Aue P . »'(Mp ~* T U ) 
V 

D [«,oo)(^Mp) 

V„ e .p (*»(/*„ - t u ) A AuVue**®^" - r u ,)) 
A 

A uep . K(Mp ~> r u ) 



A(->/i p ) =► V \mhMp ~* T„) A /\ K(->jU p t u ,) J A f\ Bhlip ~> r„) 



(28) 



(29) 



(30) 



After some semantic-preserving simplifications. 
3.4.2 Transitions



A(t„) 



A(-rr„) 



l(T„) 



A 



A 



A 



^ 0(Mp A e p ) A □ [ S , a („)) (Mp A e p ) 
V 

\ 0(Mp A ^e p ) A □ [5j0 ,( u )) (Mp A ^e p ) / 
Same as |5j 
Same as |6j 

\ (I 



0(Mp) 
A 

□=i(r„ => ^Mp 
v 



) / 



A A 



OW) 

\ n = 5 (-'-r„ => ^Mp) 
v 

V i»(->T„ ~-» C p ) 



a A 



(3D 

(32) 
(33) 



0(-/* P ) 

□ =s (t« =>■ Mp) / 
V 

V — «p) / 

/ ^ O(-Pp) \ N 

n=s(-'r« 
V 



(34) 



3.4.3 Zero-time unmarking 



/ ffi(ep-~>T„J A A„v«ae.*. !8 ( £ p~* r t.') 
A( £p ) =► V A 



=> V A ) < 35) 



b ep» 



3.4.4 Initialization 



$$\Box_{(0,\infty)}(\bot) \Rightarrow \bigwedge_{p \in P} \neg\mu_p \wedge \Diamond_{[0,2\delta]}\Big(\bigwedge_{p \in M_0} \mu_p \wedge \bigcirc\Big(\bigwedge_{p \in P} \varepsilon_p \wedge \bigwedge_{u \in T} \tau_u\Big)\Big) \tag{36}$$



The observations that have been introduced at the beginning of this section can be leveraged to provide a rigorous proof that (28)–(36) are equivalent to the original (1)–(9) over non-Berkeley continuous time. We omit the details for brevity.

3.5 Over-approximation

The over-approximations of (28)–(36) are reported as formulas (37)–(45). Notice the lower- and upper-bound relaxations in (40)–(42), in accordance with the notion of over-approximation.
3.5.1 Places



p G M : A (ai p ) 



p £ M : A (ai p ) 



( V„ e .„ (»W ~* t u ) a A u '^ ue .pffi(M P ~* r u /)) ^ 

A 

A„ ep . ffl(p P ~* n.) 
v 

D [a,oo)(^^p) 

V„ e .p («(/%. ~* t u ) A A u '^ ue .pS(Mp ~* r u /)) 

_ A 



A(^Mp) =>■ V »K-Aip — r u ) A /\ S(-A'p 



(37) 



(38) 



) ) A /\ i»(-A'p - r„) (39) 
ue.p 



3.5.2 Transitions 



(r„) 



J [i,3( u )/a-i] 



r« A /\ a«p 



J [i,/3( u )/a-i] 



'To A /\ Mp 

pG»it 



AK) 



A(-TT„) 



A 



A 



^ [O.o(t»)/S + 1] (MP A £ p) 

A <_ 



J [0,a(n)/5 + l] (Mp A ^£p) 

Vpe.J^P v □ [0 ,i](-'^)) 
v 

f '-' [l,j9(u)/i-l] ( £ p) ^ e P V '-'[0,1] (^ c p) 



'pg. u 



"[o,i](Mp) 

A 



J [0,2] k 



!!i(T 



"■Mp) 



£p) 



'-'[o 1 i](Mp) 

A 

D [0,2](^ r " => ^Mp) 
V 

ffl(-.T„ ~> £„) 



A 



[0,/3(«)/«-l] (^ e p) =* e P V ^[0,1] ( C p) 
V 
-iT« 



lj [o,i]>."'Mp) 
V 



□ 
□ 



□[, 

V 

,(^p) 



[i,/3(u)/«-i] ^p.» =^ ^ 6 P v LJ [n,i] 
A 

[0,/3(u)/5-l](^ e p) 
V 



e p v n [0il] (-.e p ) 
£ p v 0[o,i]( £ p) 



(40) 



J 



(41) 



(42) 



A A 



A 



D [0.1](^Mp) \ 

A 

D [0,2]( T " => Mp) / 

v 

n [o.i] (^Mp) 
A 

D [o,2](^ T « =* Mp) 
V 

KC -, ' r « ~* £ p) 



(43) 



Similarly as with under-approximation, formulas have been conveniently simplified: the term $\bigcirc(\mu_p \wedge \varepsilon_p)$ in the consequent of the corresponding enabling axiom is over-approximated to $\Box_{[0,1]}(\mu_p \wedge \varepsilon_p)$, which is subsumed by the other term $\Box_{[0,\alpha(u)/\delta+1]}(\mu_p \wedge \varepsilon_p)$ in the over-approximation (in fact, $\alpha(u)/\delta + 1 \geq 2$ is the case). Subformulas $\neg\tau_u \vee \Box_{[0,1]}(\neg\tau_u)$ and $\tau_u \vee \Box_{[0,1]}(\tau_u)$ in the over-approximations (41) and (42), respectively, can also be simplified. In fact, (40) enforces marking and no zero-time unmarking for at least 3 time units whenever $\tau_u$ is triggered; hence $\tau_u$ cannot be triggered over $[0, 1]$, so that the terms $\Box_{[0,1]}(\neg\tau_u)$ and $\Box_{[0,1]}(\tau_u)$ are redundant.
3.5.3 Zero-time unmarking



A(e„) 



V 

■-ta G«p 













A 








((((^e P - 










A 


(ii(^e P - 


- r« b ) 





•„') 



(44) 




3.5.4 Initialization 



at 0: /\ -./i,, A 0=i A Mp ] A D [o,i] ( A e P A A r « ] < 45 > 

3.6 Quality of discrete-time approximations

Proposition 1 guarantees that under-approximations preserve validity and over-approximations preserve counterexamples. It does not say anything about the quality (or completeness) of such approximations; in particular, an under-approximation can preserve validity trivially by being contradictory (i.e., inconsistent), and an over-approximation can preserve counterexamples trivially by being identically valid.

In order to make sure this is not the case, let us introduce a set of constraints that guarantees no degenerate behaviors are modeled in the approximations. Consider formulas involving metric intervals, namely (22)–(24) for the under-approximation and (40)–(42) for the over-approximation. We should check that, for every transition $u$ with dense-time firing interval $[\alpha(u), \beta(u)]$:

• non-emptiness. Metric intervals are non-empty; that is $\alpha(u) > 3\delta$ from the under-approximation and $\alpha(u) > -\delta$, $\beta(u) > 2\delta$ from the over-approximation.

• consistency. The minimum enabling interval (defined in (22) and (40) for under- and over-approximation respectively) is smaller than the maximum enabling interval (defined in (23)–(24) and (41)–(42) for under- and over-approximation respectively). Correspondingly, we have the constraints $\beta(u) > \alpha(u) - 2\delta$ from the under-approximation and $\beta(u) > \alpha(u) + 2\delta$ from the over-approximation.

The constraints can be summarized as $\alpha(u) > 3\delta$ and $\beta(u) > \alpha(u) + 2\delta$. In our examples, we will consider only non-degenerate TPN satisfying these constraints.



4 Multi-Paradigm Modeling and Verification at Work

The multi-paradigm modeling technique presented in this paper is supported by the Zot bounded satisfiability checker [16, 17]. More precisely, we exploited the flexibility provided by the SAT-based approach pursued by Zot, and implemented several separate plugins to deal with the various allowed formalisms. In particular, the tool now includes plugins capable of dealing with dense-time MTL formulas [11], with timed automata [12], and with timed Petri nets (using the formalization presented in Section 3). In addition, Zot is natively capable of accepting discrete-time MTL formulas as input language. The plugins provide primitives through which the user can define the system to be analyzed as a mixture of timed automata, dense- and discrete-time MTL formulas, and timed Petri nets. The properties to be verified for the system can also be described as a combination of fragments written using the aforementioned formal languages, though they are usually formalized through MTL formulas (using either dense or discrete time).

The tool then automatically builds, for the dense-time fragments of the system and of the property to be analyzed, the two discrete-time approximation formulas of Proposition 1. These formulas, possibly in conjunction with MTL formulas natively written using a discrete notion of time, are checked for validity over time $\mathbb{N}$; the results of the validity check allow one to infer the validity of the integrated model, according to Proposition 1.

The multi-paradigm verification process in Zot consists of three sequential phases. First, the discrete-time MTL formulas of Proposition 1 are built and are translated into a propositional satisfiability (SAT) problem. Second, the SAT instance (possibly including MTL formulas directly written using a discrete notion of time) is put into conjunctive normal form (CNF), a standard input format for SAT solvers. Third, the CNF formula is fed to a SAT solving engine (such as MiniSat, zChaff, or MiraXT).

4.1 An Example of Multi-paradigm Modeling and Verification 

We demonstrate how the modeling and verification technique presented in this paper 
works in practice through an example consisting of a fragment of a realistic monitoring 
system, which could be part of a larger supervision and control system. 

The monitoring subsystem is composed of three identical sensors, a middle com- 
ponent that is in charge of acquiring and pre-processing the data from the sensors, and 
a data management component that further elaborates the data (e.g., to select appropri- 
ate control actions). For reasons of dependability (by redundancy), the three sensors 
measure the same quantity (whose nature is of no relevance in this example). Each 
one of them senses independently the measured quantity at a certain rate which is in 
general aperiodic; however, while the acquisition rate can vary, the distance between 
consecutive acquisitions must always be no less than T/2 and no more than T time 
units. Each sensor keeps track of only the last measurement, hence every new sensed 
value replaces the one stored by the sensor. 

The data acquisition component retrieves data from the three sensors in a "pull" 
fashion. More precisely, when all three sensors have a fresh measurement available, 
with a delay of at least T/10 units, but of no more than T/5 time units, the data acqui- 
sition component collects the three values from the sensors (which then become stale, 
as they have been acquired). After having retrieved the three measurements, the com- 
ponent processes them (e.g., it computes a derived measurement as the average of the 
sensed values); the process takes between T/5 and T/2 time units. 

After having computed the derived measurement, the data acquisition component 
sends it to the data manager, this time using a "push" policy which requires an ac- 
knowledgement of the data reception by the latter. The data acquisition component 
tries to send data to the data manager at most twice. If both attempts at data transmis- 
sion fail (for example because a timeout for the reception acknowledgement by the data 
manager expires, or because the latter signals a reception error), the data transmission 
terminates with an error. 

First, we model the mechanism through which the three sensors collect data from the field and the data acquisition component retrieves them for the pre-processing phase. This fragment of the model is described through a timed Petri net, and is depicted in Figure 1.



[Figure 1 is not reproduced here; the legible labels are the places collect1_enable, collect2_enable, collect3_enable and the transition process_d with firing interval [T/5, T/2].]

Figure 1: Fragment of monitoring system modeled through a timed Petri net.

In a multiple-paradigm framework, the reasons that lead to the choice of a notation instead of another often include a certain degree of arbitrariness. In this case, however, we chose to model the data acquisition part of the system through a TPN since we felt that the inherent asynchrony with which the three sensors collect data from the field was naturally matched by the asynchronous nature of a TPN and its tokens [10]. While it is undeniable that different modelers might have made different choices, we maintain that TPN are well-suited (although not necessarily indispensable) in this case.

A further fragment of the formal model of the monitoring system is shown in Figure 2. It represents, through the formalism of timed automata presented in [12], the transmission protocol that the data acquisition component uses to send refined values to the data manager.⁶

Figure 2: Fragment of data acquisition system modeled through a timed automaton.

For this second fragment of the system, the formalism of timed automata was chosen, with a certain degree of arbitrariness, because it was deemed capable of representing the timing constraints on the protocol in a more natural way, especially for what concerns the constraint on the overall duration of the process.

⁶ As remarked in [12], since, in our formalization, the definition of clock constraints forbids the introduction of exact constraints such as $A = T_2$, such constraints represent a shorthand for the valid clock constraint $T_2 < A < T_2 + \delta$.

Finally, MTL formulas are added to "bridge the gap" between the fragments shown in Figures 1 and 2. This is achieved by the two following formulas, which define, respectively, that the transmission procedure can begin only if a pre-processed measurement value has been produced by the data acquisition component in the last $T$ time units (46), and that if the system is not in the middle of a data transmission (i.e., it is idle) and a new datum is being processed, a transmission will start within $T/2$ time units, due to the upper bound of the process_d transition (47).

$$\mathit{try} \Rightarrow \Diamond_{(0,T/2]}(\mathit{data\_retrieved}) \tag{46}$$

$$\mathit{data\_retrieved} \wedge \mathit{idle} \Rightarrow \Diamond_{(0,T/2]}(\mathit{try}) \tag{47}$$



Notice that the models of Figures 1 and 2 are defined, as per the formalizations of [12] and of Section 3, over a continuous notion of time. This choice for the time domain of these two system fragments is justified by the fact that they deal with parts of the system interacting with physical elements (measured quantities, transmission channel), for which a continuous time seems better suited.

Formulas (46) and (47), instead, describe a software synchronization mechanism within the application. As a consequence, discrete time is more suitable to describe this part of the system, hence formulas (46) and (47) are to be interpreted accordingly.

Finally, the model of the system to be verified is built by conjoining the discrete-time approximations for the fragments of Figures 1–2 and the discrete-time MTL formulas (46)–(47). More precisely, if $\psi_N^{o,\delta}$ and $\psi_N^{u,\delta}$ are the continuous-time MTL formulas capturing the semantics of the net of Figure 1 (see Section 3), $\psi_A^{o,\delta}$, $\psi_A^{u,\delta}$ are the continuous-time MTL formulas for the automaton of Figure 2, $\psi_L$ is the discrete-time formula $\psi_L = (46) \wedge (47)$, and $\phi_{prop}$ is the continuous-time property to be checked for the system, then we have:

$$\phi^+ = \mathrm{Alw}\big(\Omega_\delta(\psi_N^{o,\delta}) \wedge \Omega_\delta(\psi_A^{o,\delta}) \wedge \psi_L\big) \Rightarrow \mathrm{Alw}\big(\mathrm{O}_\delta(\phi_{prop})\big)$$

$$\phi^- = \mathrm{Alw}\big(\mathrm{O}_\delta(\psi_N^{u,\delta}) \wedge \mathrm{O}_\delta(\psi_A^{u,\delta}) \wedge \psi_L\big) \Rightarrow \mathrm{Alw}\big(\Omega_\delta(\phi_{prop})\big)$$

Note that formula $\psi_L$, which is to be interpreted over discrete time, must not be approximated. Then, if $\phi^+$ is $\mathbb{N}$-valid, we can draw some interesting conclusions.

First, if one implements a continuous-time system that does not vary faster than the sampling time $\delta$ (i.e., whose behaviors are non-Berkeley for $\delta$), which satisfies $\psi_N$, $\psi_A$, and a continuous-time MTL formula $\psi'_L$ such that $\Omega_\delta(\psi'_L) = \psi_L$, then property $\phi_{prop}$ holds for this system.

It can be shown that, for any continuous-time MTL formula $\phi$, the set of behaviors satisfying $\mathrm{O}_\delta(\phi)$ is a subset of those satisfying $\Omega_\delta(\phi)$ (i.e., $\{b \mid b \models_{\mathbb{N}} \mathrm{O}_\delta(\phi)\} \subseteq \{b \mid b \models_{\mathbb{N}} \Omega_\delta(\phi)\}$). In addition, given a discrete-time behavior $b$ that satisfies $\mathrm{O}_\delta(\phi)$, from [11, Lemma 3] we have that any continuous-time non-Berkeley behavior $b'$ for which $b$ is a sampling satisfies $\phi$. Then, any way one reconstructs a continuous-time non-Berkeley behavior $b'$ from a discrete-time one that satisfies $\mathrm{O}_\delta(\phi)$, $b'$ satisfies $\phi$. This leads us to conclude that, if one builds a discrete-time system (e.g., a piece of software) which implements — that is, satisfies — $\mathrm{O}_\delta(\psi_N^{o,\delta})$, $\mathrm{O}_\delta(\psi_A^{o,\delta})$, $\psi_L$, this satisfies discrete-time property $\mathrm{O}_\delta(\phi_{prop})$; in addition, any way one uses a discrete-time behavior of this system to reconstruct a continuous-time, non-Berkeley behavior, the latter satisfies $\psi_N$, $\psi_A$, and $\phi_{prop}$.

Finally, if $\phi^-$ is not $\mathbb{N}$-valid, a discrete-time system implementing $\mathrm{O}_\delta(\psi_N^{u,\delta})$, $\mathrm{O}_\delta(\psi_A^{u,\delta})$, $\psi_L$ violates property $\Omega_\delta(\phi_{prop})$.

Verification. We used the system model presented above to check a number of properties to validate the effectiveness of our approach. Table 4.1 shows the results and the duration of the tests. More precisely, for each test the table reports: the checked property; the values of the timing parameters in the model (i.e., $T_1$, $T_2$, $T_3$, $T$); the temporal bound $k$ of the time domain (as Zot is a bounded satisfiability checker, it considers all the behaviors with period $\leq k$); the total amount of time to perform each phase of the verification, namely formula building (including transformation into conjunctive normal form) and propositional satisfiability checking; the results of the tests; the size (in millions of clauses) of the formula fed to the SAT-solver.⁷ Tests were performed instantiating the parameters with different values to get an idea of how the performance of the verification algorithm is affected, both in terms of time to complete the verification and of whether the verification attempt is conclusive. In addition, the timed interaction between the data acquisition and monitoring subsystems is quite subtle, and the properties under verification hold in every run of the system only for certain combinations of parameter values. Automated verification allowed us to investigate this fact in some detail.

First, we checked some properties concerning the liveness of the data collection by a sensor X (with X $\in \{1, 2, 3\}$). More precisely, we analyzed whether property (48) holds for the model.⁸

$$\begin{array}{l}
\mathit{replaceX} \wedge \mathit{new\_dX} \Rightarrow \Diamond_{(0,T+\delta]}(\mathit{replaceX} \wedge \neg\mathit{new\_dX} \vee \neg\mathit{replaceX} \wedge \mathit{new\_dX}) \\
\wedge \\
\mathit{replaceX} \wedge \neg\mathit{new\_dX} \Rightarrow \Diamond_{(0,T+\delta]}(\mathit{replaceX} \wedge \mathit{new\_dX} \vee \neg\mathit{replaceX} \wedge \neg\mathit{new\_dX}) \\
\wedge \\
\neg\mathit{replaceX} \wedge \mathit{new\_dX} \Rightarrow \Diamond_{(0,T+\delta]}(\neg\mathit{replaceX} \wedge \neg\mathit{new\_dX} \vee \mathit{replaceX} \wedge \mathit{new\_dX}) \\
\wedge \\
\neg\mathit{replaceX} \wedge \neg\mathit{new\_dX} \Rightarrow \Diamond_{(0,T+\delta]}(\neg\mathit{replaceX} \wedge \mathit{new\_dX} \vee \mathit{replaceX} \wedge \neg\mathit{new\_dX})
\end{array} \tag{48}$$

Formula (48) states that triggering events of replaceX and new_dX transitions must occur within $T + \delta$ (with $\delta$ the sampling period) time instants in the future, i.e., that either replaceX or new_dX must change value within the next $T + \delta$ time instants. The property does not hold in general, since a firing of transition retrieve_d would reset the time counters for transitions replaceX and new_dX. This fact can be pointed out by checking $\phi$ with $\phi_{prop} = (48)$, which is unsatisfiable, as shown in Table 4.1.



⁷ The verification tool and the complete model used for verification can be found at http://home.dei.polimi.it/pradella. Tests have been performed on a PC equipped with two Intel Xeon E5335 Quad-Core processors at 2 GHz, 16 GB of RAM, and GNU/Linux (kernel 2.6.29), using a single core for each test. Zot used the SAT-solver MiniSat 2.

⁸ Recall that all properties to be proved are implicitly closed with the Alw operator.
Under the additional hypothesis that transition retrieve_d does not fire along $(0, T + \delta]$, (48) can however be shown to hold. More precisely, if (48) is rewritten, as shown in formula (49), by adding to the antecedents the condition that predicate retrieve_d does not change in $(0, T + \delta]$ (i.e., transition retrieve_d does not fire in that interval), then the new $\phi^+$ is $\mathbb{N}$-valid (as Table 4.1 shows), hence (49) holds for the system.

$$\begin{array}{l}
\big(\Box_{(0,T+\delta]}(\mathit{retrieve\_d}) \wedge \mathit{replaceX} \wedge \mathit{new\_dX} \Rightarrow \Diamond_{(0,T+\delta]}(\mathit{replaceX} \wedge \neg\mathit{new\_dX} \vee \neg\mathit{replaceX} \wedge \mathit{new\_dX})\big) \\
\wedge \cdots \wedge \\
\big(\Box_{(0,T+\delta]}(\mathit{retrieve\_d}) \wedge \neg\mathit{replaceX} \wedge \neg\mathit{new\_dX} \Rightarrow \Diamond_{(0,T+\delta]}(\neg\mathit{replaceX} \wedge \mathit{new\_dX} \vee \mathit{replaceX} \wedge \neg\mathit{new\_dX})\big) \\
\vee \\
\big(\Box_{(0,T+\delta]}(\neg\mathit{retrieve\_d}) \wedge \mathit{replaceX} \wedge \neg\mathit{new\_dX} \Rightarrow \Diamond_{(0,T+\delta]}(\mathit{replaceX} \wedge \mathit{new\_dX} \vee \neg\mathit{replaceX} \wedge \neg\mathit{new\_dX})\big) \\
\wedge \cdots \wedge \\
\big(\Box_{(0,T+\delta]}(\neg\mathit{retrieve\_d}) \wedge \neg\mathit{replaceX} \wedge \neg\mathit{new\_dX} \Rightarrow \Diamond_{(0,T+\delta]}(\neg\mathit{replaceX} \wedge \mathit{new\_dX} \vee \mathit{replaceX} \wedge \neg\mathit{new\_dX})\big)
\end{array} \tag{49}$$

Another liveness property is formalized by formula (50), which states that a datum is retrieved (i.e., place data_retrieved is marked) at least every $\tfrac{3}{2}T$ time units.

$$\Diamond_{(0,\frac{3}{2}T]}(\mathit{data\_retrieved}) \tag{50}$$

Property (50) cannot be established with our verification technique as it falls in the incompleteness region (i.e., $\phi^+$ is not valid and $\phi^-$ is valid, as Table 4.1 shows); from the automated check we cannot draw a definitive conclusion on the validity of the property for the system. If, however, the temporal bound of formula (50) is slightly relaxed as in formula (51), not only is the verification conclusive, but it shows that the property in fact holds for the system.

$$\Diamond_{(0,2T]}(\mathit{data\_retrieved}) \tag{51}$$

Verification also shows that the original formula (50) holds if the bound on transitions replaceX of the TPN is changed to $[\ldots, T)$ (property (50) in Table 4.1).
Formula (52) expresses the maximum delay between sensor collect and data send. More precisely, if each sensor has provided a measurement and transition retrieve_d fires, then the timed automaton will enter state try within $T$ instants. The validity of this formula would allow us to check that the two parts of the system modeled by the TPN and by the TA are correctly "bridged" by axioms (46) and (47). As Table 4.1 shows, property (52) does not hold; this occurs because, when place data_retrieved is marked, the TA might not be in state idle.

$$\mathit{data\_retrieved} \Rightarrow \Diamond_{(0,T]}(\mathit{try}) \tag{52}$$

Axiom (47) states that state try is entered within $T/2$ if data_retrieved holds when idle holds. Then, a deeper analysis of the timing constraints suggests that this condition depends on the maximum transmission time $T_3$ of the TA, which defines the maximum delay between two consecutive occurrences of idle. If the system is in data_retrieved and not in idle, then the next idle state will be within $T_3$ instants in the future; moreover, data_retrieved will be unmarked within $T/2$. This suggests that the following property (53) is valid:

$$\Box_{(0,T_3]}(\mathit{data\_retrieved}) \Rightarrow \Diamond_{(0,T]}(\mathit{try}) \tag{53}$$

This property also falls in the incompleteness region of the verification technique. However, the following slight relaxation of formula (53) can be proved to hold for the system:

$$\Box_{(0,T_3+\delta]}(\mathit{data\_retrieved}) \Rightarrow \Diamond_{(0,T]}(\mathit{try}) \tag{54}$$
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Table 2: Checking properties of the data monitoring system. 
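As an added illustration (this is not code from the paper or from the Zot tool), the following Python evaluator implements the discrete-time semantics of the bounded operators used in properties (52) and (53) and runs both properties on a constructed trace in which data_retrieved is marked while the TA is not idle. The bounds T and T3 and the trace itself are assumptions chosen for the example.

```python
from typing import Callable, Dict, List

Trace = List[Dict[str, bool]]           # trace[i]: propositions true at instant i
Formula = Callable[[Trace, int], bool]  # truth value of a formula at instant i of a trace

def atom(p: str) -> Formula:
    return lambda tr, i: tr[i].get(p, False)

def implies(a: Formula, b: Formula) -> Formula:
    return lambda tr, i: (not a(tr, i)) or b(tr, i)

def eventually(bound: int, f: Formula) -> Formula:
    """Diamond_(0,bound]: f holds at some instant i+d with 0 < d <= bound."""
    return lambda tr, i: any(f(tr, i + d) for d in range(1, bound + 1))

def always(bound: int, f: Formula) -> Formula:
    """Box_(0,bound]: f holds at every instant i+d with 0 < d <= bound."""
    return lambda tr, i: all(f(tr, i + d) for d in range(1, bound + 1))

def violations(f: Formula, tr: Trace, horizon: int) -> List[int]:
    """Instants at which f is false. Only instants whose bounded windows (at most
    `horizon` instants ahead) lie inside the finite trace are evaluated, so the
    truncated end of the trace cannot produce spurious results."""
    return [i for i in range(len(tr) - horizon) if not f(tr, i)]

T, T3 = 4, 6   # assumed bounds: TA delay T and maximum transmission time T3

def make_trace() -> Trace:
    """Constructed 24-instant trace (hypothetical values, not from the paper):
    place data_retrieved is marked at instant 5 while the TA is transmitting
    (not idle); idle recurs at instant 9, try is entered at 10, and the place is
    unmarked at 10, i.e. within T/2 of idle as axiom (47) prescribes."""
    tr: Trace = [{} for _ in range(24)]
    for i in range(5, 10):
        tr[i]["data_retrieved"] = True
    for i in (0, 1, 2, 9, 14, 15):
        tr[i]["idle"] = True
    for i in (3, 10, 16):
        tr[i]["try"] = True
    return tr

data_retrieved, try_ = atom("data_retrieved"), atom("try")
prop52 = implies(data_retrieved, eventually(T, try_))              # formula (52)
prop53 = implies(always(T3, data_retrieved), eventually(T, try_))  # formula (53)

def check() -> Dict[str, List[int]]:
    """Instants violating (52) and (53) on the constructed trace."""
    tr = make_trace()
    horizon = T3 + T   # longest look-ahead of the two formulas, with margin
    return {"52": violations(prop52, tr, horizon), "53": violations(prop53, tr, horizon)}

if __name__ == "__main__":
    print(check())   # {'52': [5], '53': []}
```

On this trace (52) is violated at instant 5, exactly the situation described above, while the antecedent of (53) never holds for T3 consecutive instants, so (53) is not contradicted. Zot answers the same questions for all traces up to a bound rather than for one hand-built trace.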
5 Discussion and Conclusion



In this paper we presented a technique to formally model and verify systems using different paradigms for different system parts. The technique hinges on MTL axiomatizations of the different modeling notations, which provide a common formal ground for the various modeling languages, on which fully-automated verification techniques are built. We provided an MTL axiomatization of a subset of TPN, a typical asynchronous operational formalism, and showed how models can be built by formally combining TPN and TA (a classic synchronous operational notation, for which an axiomatization has been provided in [12]). In addition, we showed how the approach allows users to integrate in the same model parts described through a continuous notion of time and parts described through a discrete notion of time.

Practical verification of systems modeled through the multi-paradigm approach is 
possible through the Zot bounded satisfiability checker, for which plugins supporting 
the various axiomatized notations have been built. 

The technique has been validated on a non-trivial example of a data monitoring system. The experimental results show the feasibility of the approach, through which we have been able to investigate the validity (or, in some cases, the non-validity) of some properties of the system. As described in Section 4, the verification phase has provided useful insights on the mechanisms and on the timing features of the modeled system, which led us to re-evaluate some of our initial beliefs about the system properties.

It is clear from our experiments that, unsurprisingly, the technique suffers from two main drawbacks: the incompleteness of the verification approach by discretization evidenced in [11], which prevented us, in some cases, from getting conclusive answers on some analyzed properties; and the computational complexity of our method, which is based on the direct translation of TPN and TA into MTL formulas, approximated into discrete ones, and then encoded into SAT. This makes proofs considerably lengthier as the size of the domains, and especially of the temporal one, increases, as evidenced by Table 4.1. Nevertheless, we maintain that the results we obtained are promising, and show the applicability of the technique to non-trivial systems. This claim is supported on the one hand by the sophistication of the properties we have been able to prove (or disprove): it is inevitable that verification over continuous real time has a high computational cost. On the other hand, while incompleteness is a hurdle to the full applicability of the technique, in practice it can be mitigated quite well, usually by slightly relaxing the real-time requirements under verification in a way that usually does not alter the gist of what is being verified.

In our future research on this topic we plan to address the two main drawbacks 
evidenced above. First, we will work on extending the verification technique to expand 
its range of applicability and reduce its region of incompleteness. Also, we will study 
more efficient implementations for the Zot plugins through which the various modeling 
notations are added to the framework: we believe that more direct (therefore more 
compact, both in the literals and clause numbers) encodings into SAT of the TPN and 
TA axiomatizations should significantly improve the efficiency of the tool. 

In particular, we have not yet tackled the problem of optimizing the encodings 
of the TPN and TA axiomatizations into the SAT problem. We expect that significant 
improvements on the duration of the proofs can be gained through optimized encodings 
that reduce, on the one hand, the time needed to put formulas in the conjunctive normal 
form that is required as input by SAT solvers, and, on the other hand, the number of 
literals required to represent TPN and TA as SAT problems. 